EnCase Computer Forensics I Syllabus

GUIDANCE SOFTWARE | EnCase Forensic v7
Day 1

Day one starts with instruction on using EnCase® Forensic version 7 to create a new case and navigate the EnCase Forensic v7 interface. Attendees are shown how to use EnCase Forensic v7 to acquire a complete copy of the data from removable media in a forensically sound manner. The concept of digital evidence and how to verify evidence are also included.

The main areas covered on day one include:

• Creating a case file in EnCase Forensic v7
• Navigating within the EnCase Forensic v7 environment
• Understanding the concept of digital evidence and its impact on an investigation
• The importance and practicalities of evidence handling
• EnCase Forensic v7 concepts
– Safeguarding and preserving evidential data
• The basics of acquiring a forensically sound copy of data from removable media, including the use of the Guidance Software write-blocking software, FastBloc® SE
• Verification of an evidence file to demonstrate validity
– How to conduct a test confirming that the hash and CRC values (or the data block validation) used in the evidence file integrity check verify the evidence file

Day 2

Day two begins with a practical exercise on the techniques learned on the previous day for creating an evidence file and then continues with an explanation of how computers work (paying particular regard to the associated impact on forensic examination). Hard disk acquisition is covered, using a forensically sound Linux CD, LinEn, and drive-to-drive connection methods. The students will learn how to properly preview a computer system prior to acquisition, using the Direct Network Preview function. Attendees will learn how to bookmark data and use the tagging feature included in EnCase Forensic v7. Instruction will proceed with a detailed discussion of the FAT file systems as well as an overview of the NT and ExFAT file systems, and the attendees will learn how to properly process evidence files.
The main areas covered on day two include:
• Understanding how computers work
– Hardware and associated terminology
– The CMOS, BIOS, and boot sequence
– Interpreting binary and hexadecimal data
– The basics of text encoding
• Acquisition of a hard disk or other media from a powered-off
computer using LinEn
• How to use the Direct Network Preview function to preview a
live running computer and the abilities to capture RAM and
process memory will also be shown
• Bookmarking and tagging search results
• NT/FAT/ExFAT File Systems
– How these file systems track data on their respective
volumes as well as what occurs when a file is created
or deleted
• Processing evidence
– Using the EnCase® Evidence Processor
– Preparing evidence for processing
– Managing and using the various Evidence Processor
settings and toolbars
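The hash-and-CRC verification of an evidence file listed under day one (and applied to the acquisitions covered on day two) can be illustrated with a small added model. This is example code written for this page, not EnCase or Guidance Software code; the layout it assumes (64-sector blocks with a CRC32 each, plus an MD5 and SHA-1 of the whole data stream) is a simplification, not the real evidence-file format.

```python
import hashlib
import zlib

# Constructed, simplified model of an evidence file: the acquired data is kept in
# fixed-size blocks with a CRC32 per block, and an MD5 and SHA-1 of the whole
# data stream are recorded once. This mirrors the hash-plus-CRC verification
# the syllabus describes; it is an assumption, not the real E01 layout.
BLOCK_SIZE = 512 * 64  # assumed: 64 sectors of 512 bytes per CRC block


def build_evidence(raw: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Split acquired data into blocks; store a CRC32 per block plus the
    acquisition hashes of the complete data stream."""
    blocks = [raw[i:i + block_size] for i in range(0, len(raw), block_size)]
    return {"blocks": blocks,
            "crcs": [zlib.crc32(b) & 0xFFFFFFFF for b in blocks],
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest()}


def verify_evidence(ev: dict) -> dict:
    """Recompute every block CRC and the stream hashes and compare them with the
    stored values. Reports which blocks failed, so an examiner sees not only
    that the file changed but where."""
    bad_blocks = [i for i, (b, c) in enumerate(zip(ev["blocks"], ev["crcs"]))
                  if (zlib.crc32(b) & 0xFFFFFFFF) != c]
    stream = b"".join(ev["blocks"])
    md5_ok = hashlib.md5(stream).hexdigest() == ev["md5"]
    sha1_ok = hashlib.sha1(stream).hexdigest() == ev["sha1"]
    return {"verified": not bad_blocks and md5_ok and sha1_ok,
            "bad_blocks": bad_blocks, "md5_ok": md5_ok, "sha1_ok": sha1_ok}


def tamper(ev: dict, block_index: int, offset: int) -> dict:
    """Copy of the evidence with one bit flipped in one block while the stored
    CRCs and hashes stay as they were (simulates a post-acquisition change)."""
    blocks = list(ev["blocks"])
    b = bytearray(blocks[block_index])
    b[offset] ^= 0x01
    blocks[block_index] = bytes(b)
    return {**ev, "blocks": blocks}


# Constructed sample "acquisition": three and a half blocks of filler bytes.
SAMPLE = bytes((i * 7 + 3) % 256 for i in range(BLOCK_SIZE * 3 + BLOCK_SIZE // 2))

if __name__ == "__main__":
    ev = build_evidence(SAMPLE)
    print("clean:", verify_evidence(ev))                     # verified=True
    print("tampered:", verify_evidence(tamper(ev, 2, 100)))  # bad_blocks=[2]
```

The per-block CRC localises a change to one block, while the stream hashes confirm the file as a whole; an evidence file whose data are altered after acquisition fails both checks.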
www.encase.com
Day 3

Day three begins with an introduction to the basic methods of search techniques and how to view the results. Instruction continues on file descriptions and the use of file signatures to properly identify file types. The students will participate in a practical exercise, allowing them to practice the searching and bookmarking techniques covered so far. Attendees will install external viewers within EnCase Forensic v7 and will then learn how to copy data from within an evidence file. The day’s activities conclude with instruction on the principles and practical use of digital fingerprints (hash values) to identify files of interest and exclude known files.

The main areas covered on day three include:

• Creating and conducting index search queries and raw keyword searches
• Viewing search results
– Reviewing methods
– How to examine results
• Installing external viewers
• File descriptions
– Discussion of the categories of files and folders and the icons employed by EnCase Forensic v7
• Detailed copying options
• Signature analysis
– An automated comparison of the displayed file extension with the actual content of the file
• Hash analysis
– Using unique values calculated from a file’s logical content to identify and/or exclude files

Day 4

Day four opens with a practical exercise on conducting signature and hash analyses. The day’s instruction begins with a lesson on searching and recovering data from unallocated space. Next, the students will learn how to compile evidence into simple reports. The remaining instruction focuses on maintaining and safekeeping evidence. Attendees will learn how to use the new Case Backup feature now included in EnCase Forensic v7. The students are given advice and guidance for archiving as well as instruction on how to restore and open an archived case. The students will explore how to reacquire evidence in order to modify evidence-file parameters but still maintain data integrity. Attendees will observe first-hand how EnCase Forensic v7 can detect and identify any changes to the content of an evidence file. The importance of proper evidence handling will be discussed and the attendees will be given examples of good practice in this area. The course concludes with a final practical exercise on the week’s instruction.

The main areas covered on day four include:

• Locating and recovering evidence in unallocated space manually and by using EnScript® programs
• Basic report creation and how to use the Review Package functionality
– Exporting reports
– Consolidating search results into a review package
• Using Case Backup to protect and secure stored evidence
• Reacquiring and restoring evidence
– Often required by court order; necessary to recover data and/or examine the operation of the host system in real-time
• Archiving and reopening an archived case
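The signature and hash analyses taught on day three and practised on day four, as an added example that is not part of the original syllabus or of EnCase itself. The signature table, the hash sets, the sample files and the outcome labels are all constructed for this illustration.

```python
import hashlib
# Constructed signature table: well-known header bytes mapped to the extensions
# that legitimately carry them. Real tools ship far larger tables.
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"PK\x03\x04": {"zip", "docx", "xlsx"},
    b"%PDF-": {"pdf"},
}

def signature_check(name: str, content: bytes) -> str:
    """Signature analysis: compare the extension shown in the file name with the
    header actually present in the content. 'mismatch' flags a renamed file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, exts in SIGNATURES.items():
        if content.startswith(magic):
            return "match" if ext in exts else "mismatch"
    return "unknown"  # header not in the table: extension neither confirmed nor refuted

def hash_check(content: bytes, known_good: set, notable: set) -> str:
    """Hash analysis: classify a file by the MD5 of its logical content against a
    known-good set (exclude from review) and a notable set (flag for review)."""
    digest = hashlib.md5(content).hexdigest()
    if digest in notable:
        return "notable"
    return "known-good" if digest in known_good else "unclassified"

def triage(files: dict, known_good: set, notable: set) -> list:
    """Run both analyses over {name: content}; notable hashes and renamed files
    sort to the top, known-good files can be excluded from manual review."""
    rows = [{"name": n, "signature": signature_check(n, c),
             "hash": hash_check(c, known_good, notable)} for n, c in files.items()]
    return sorted(rows, key=lambda r: (r["hash"] != "notable",
                                       r["signature"] != "mismatch", r["name"]))

# Constructed sample set: a JPEG header under a .jpg name, the same header under
# a .txt name, a vendor text file, and a PDF whose hash is on a watch list.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # image renamed to hide it
    "license.txt": b"Copyright notice, unchanged vendor file\n",
    "report.pdf": b"%PDF-1.4\n%constructed\n",
}
KNOWN_GOOD = {hashlib.md5(SAMPLE_FILES["license.txt"]).hexdigest()}
NOTABLE = {hashlib.md5(SAMPLE_FILES["report.pdf"]).hexdigest()}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES, KNOWN_GOOD, NOTABLE):
        print(row)
```

The renamed image surfaces through its header, not its name, and the known-good hash lets the vendor file drop out of review; a real examination uses published hash sets and a far larger signature table.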
©2014 Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used
without prior written permission. All other marks and brands may be claimed as the property of their respective owners.